Use user specific NSSDatabase in CertLoader.

chromeos/network/network_connection_handler_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/network_connection_handler.h"
 
 #include "base/bind.h"
+#include "base/callback.h"
+#include "base/file_util.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/message_loop/message_loop.h"
+#include "base/run_loop.h"
+#include "base/strings/stringprintf.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/shill_manager_client.h"
 #include "chromeos/dbus/shill_service_client.h"
 #include "chromeos/network/network_configuration_handler.h"
 #include "chromeos/network/network_state_handler.h"
 #include "chromeos/network/onc/onc_utils.h"
+#include "crypto/nss_util.h"
+#include "crypto/nss_util_internal.h"
+#include "net/base/net_errors.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/nss_cert_database_chromeos.h"
+#include "net/cert/x509_certificate.h"
+#include "net/test/cert_test_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
 namespace {
 
 const char* kSuccessResult = "success";
 
 void ConfigureCallback(const dbus::ObjectPath& result) {
 }
 
 void ConfigureErrorCallback(const std::string& error_name,
                             const std::string& error_message) {
 }
 
 }  // namespace
 
 namespace chromeos {
 
 class NetworkConnectionHandlerTest : public testing::Test {
  public:
-  NetworkConnectionHandlerTest() {
+  NetworkConnectionHandlerTest() : user_("userhash") {
   }
   virtual ~NetworkConnectionHandlerTest() {
   }
 
   virtual void SetUp() OVERRIDE {
+    ASSERT_TRUE(user_.constructed_successfully());
+    user_.FinishInit();
+
+    test_nssdb_.reset(new net::NSSCertDatabaseChromeOS(
+        crypto::GetPublicSlotForChromeOSUser(user_.username_hash()),
+        crypto::GetPrivateSlotForChromeOSUser(
+            user_.username_hash(),
+            base::Callback<void(crypto::ScopedPK11Slot)>())));
+
+    CertLoader::Initialize();
+    CertLoader* cert_loader = CertLoader::Get();
+    cert_loader->SetCryptoTaskRunner(message_loop_.message_loop_proxy());
+    cert_loader->set_hardware_backed_for_test();
+
     // Initialize DBusThreadManager with a stub implementation.
     DBusThreadManager::InitializeWithStub();
-    message_loop_.RunUntilIdle();
+    base::RunLoop().RunUntilIdle();
     DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface()
         ->ClearServices();
-    message_loop_.RunUntilIdle();
+    base::RunLoop().RunUntilIdle();
     LoginState::Initialize();
     network_state_handler_.reset(NetworkStateHandler::InitializeForTest());
     network_configuration_handler_.reset(
         NetworkConfigurationHandler::InitializeForTest(
             network_state_handler_.get()));
+
     network_connection_handler_.reset(new NetworkConnectionHandler);
-    // TODO(stevenjb): Test integration with CertLoader using a stub or mock.
     network_connection_handler_->Init(network_state_handler_.get(),
                                       network_configuration_handler_.get());
   }
 
   virtual void TearDown() OVERRIDE {
     network_connection_handler_.reset();
     network_configuration_handler_.reset();
     network_state_handler_.reset();
+    CertLoader::Shutdown();
     LoginState::Shutdown();
     DBusThreadManager::Shutdown();
   }
 
  protected:
   bool Configure(const std::string& json_string) {
     scoped_ptr<base::DictionaryValue> json_dict =
         onc::ReadDictionaryFromJson(json_string);
     if (!json_dict) {
       LOG(ERROR) << "Error parsing json: " << json_string;
       return false;
     }
     DBusThreadManager::Get()->GetShillManagerClient()->ConfigureService(
         *json_dict,
         base::Bind(&ConfigureCallback),
         base::Bind(&ConfigureErrorCallback));
-    message_loop_.RunUntilIdle();
+    base::RunLoop().RunUntilIdle();
     return true;
   }
 
   void Connect(const std::string& service_path) {
     const bool check_error_state = true;
     network_connection_handler_->ConnectToNetwork(
         service_path,
         base::Bind(&NetworkConnectionHandlerTest::SuccessCallback,
                    base::Unretained(this)),
         base::Bind(&NetworkConnectionHandlerTest::ErrorCallback,
                    base::Unretained(this)),
         check_error_state);
-    message_loop_.RunUntilIdle();
+    base::RunLoop().RunUntilIdle();
   }
 
   void Disconnect(const std::string& service_path) {
     network_connection_handler_->DisconnectNetwork(
         service_path,
         base::Bind(&NetworkConnectionHandlerTest::SuccessCallback,
                    base::Unretained(this)),
         base::Bind(&NetworkConnectionHandlerTest::ErrorCallback,
                    base::Unretained(this)));
-    message_loop_.RunUntilIdle();
+    base::RunLoop().RunUntilIdle();
   }
 
   void SuccessCallback() {
     result_ = kSuccessResult;
   }
 
   void ErrorCallback(const std::string& error_name,
                      scoped_ptr<base::DictionaryValue> error_data) {
     result_ = error_name;
   }
 
   std::string GetResultAndReset() {
     std::string result;
     result.swap(result_);
     return result;
   }
 
   std::string GetServiceStringProperty(const std::string& service_path,
                                        const std::string& key) {
     std::string result;
     const base::DictionaryValue* properties =
         DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface()->
         GetServiceProperties(service_path);
     if (properties)
       properties->GetStringWithoutPathExpansion(key, &result);
     return result;
   }
 
+  void StartCertLoader() {
+    CertLoader::Get()->StartWithNSSDB(test_nssdb_.get());
+    base::RunLoop().RunUntilIdle();
+  }
+
+  bool ImportClientCertAndKey(const std::string& pkcs12_file,
+                              net::NSSCertDatabase* nssdb,
+                              net::CertificateList* loaded_certs) {
+    std::string pkcs12_data;
+    base::FilePath pkcs12_path =
+        net::GetTestCertsDirectory().Append(pkcs12_file);
+    if (!base::ReadFileToString(pkcs12_path, &pkcs12_data))
+      return false;
+
+    scoped_refptr<net::CryptoModule> module(
+        net::CryptoModule::CreateFromHandle(nssdb->GetPrivateSlot().get()));
+    return net::OK ==
+        nssdb->ImportFromPKCS12(module, pkcs12_data, base::string16(), false,
+                                loaded_certs);
+  }
+
   scoped_ptr<NetworkStateHandler> network_state_handler_;
   scoped_ptr<NetworkConfigurationHandler> network_configuration_handler_;
   scoped_ptr<NetworkConnectionHandler> network_connection_handler_;
+  crypto::ScopedTestNSSChromeOSUser user_;
+  scoped_ptr<net::NSSCertDatabaseChromeOS> test_nssdb_;
   base::MessageLoopForUI message_loop_;
   std::string result_;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(NetworkConnectionHandlerTest);
 };
 
 namespace {
 
 const char* kConfigConnectable =
@@ skipping 40 matching lines @@
             GetResultAndReset());
 
   EXPECT_TRUE(Configure(kConfigRequiresActivation));
   Connect("cellular1");
   EXPECT_EQ(NetworkConnectionHandler::kErrorActivationRequired,
             GetResultAndReset());
 }
 
 namespace {
 
-const char* kConfigRequiresCertificate =
+const char* kConfigRequiresCertificateTemplate =
     "{ \"GUID\": \"wifi4\", \"Type\": \"wifi\", \"Connectable\": false,"
     "  \"Security\": \"802_1x\","
     "  \"UIData\": \"{"
     "    \\\"certificate_type\\\": \\\"pattern\\\","
     "    \\\"certificate_pattern\\\": {"
-    "      \\\"Subject\\\": { \\\"CommonName\\\": \\\"Foo\\\" }"
+    "      \\\"Subject\\\": {\\\"CommonName\\\": \\\"%s\\\" }"
     "   } }\" }";
 
 }  // namespace
 
-// Handle certificates. TODO(stevenjb): Add certificate stubs to improve
-// test coverage.
-TEST_F(NetworkConnectionHandlerTest,
-       NetworkConnectionHandlerConnectCertificate) {
-  EXPECT_TRUE(Configure(kConfigRequiresCertificate));
+// Handle certificates.
+TEST_F(NetworkConnectionHandlerTest, ConnectCertificateMissing) {
+  StartCertLoader();
+
+  EXPECT_TRUE(Configure(
+      base::StringPrintf(kConfigRequiresCertificateTemplate, "unknown")));
+  Connect("wifi4");
+  EXPECT_EQ(NetworkConnectionHandler::kErrorCertificateRequired,
+            GetResultAndReset());
+}
+
+TEST_F(NetworkConnectionHandlerTest, ConnectWithCertificateSuccess) {
+  StartCertLoader();
+
+  net::CertificateList certs;
+  ASSERT_TRUE(ImportClientCertAndKey(
+      "websocket_client_cert.p12", test_nssdb_.get(), &certs));
+  ASSERT_EQ(1U, certs.size());
+
+  EXPECT_TRUE(Configure(
+      base::StringPrintf(kConfigRequiresCertificateTemplate,
+                         certs[0]->subject().common_name.c_str())));
+
+  Connect("wifi4");
+  EXPECT_EQ(kSuccessResult, GetResultAndReset());
+}
+
+TEST_F(NetworkConnectionHandlerTest, ConnectCertificateFromSecondaryUserFails) {
+  StartCertLoader();
+
+  // Create secondary user and get it's nssdb.
+  crypto::ScopedTestNSSChromeOSUser secondary_user("secondary");
+  ASSERT_TRUE(secondary_user.constructed_successfully());
+  secondary_user.FinishInit();
+
+  scoped_ptr<net::NSSCertDatabaseChromeOS>secondary_nssdb(
+      new net::NSSCertDatabaseChromeOS(
+           crypto::GetPublicSlotForChromeOSUser(secondary_user.username_hash()),
+           crypto::GetPrivateSlotForChromeOSUser(
+               secondary_user.username_hash(),
+               base::Callback<void(crypto::ScopedPK11Slot)>())));
+
+  // Import client cert to the secondary user's nssdb. The certificate should
+  // not be visible to the cert loader, so the connection request should fail.
+  net::CertificateList certs;
+  ASSERT_TRUE(ImportClientCertAndKey(
+      "websocket_client_cert.p12", secondary_nssdb.get(), &certs));
+  ASSERT_EQ(1U, certs.size());
+
+  EXPECT_TRUE(Configure(
+      base::StringPrintf(kConfigRequiresCertificateTemplate,
+                         certs[0]->subject().common_name.c_str())));
+
   Connect("wifi4");
   EXPECT_EQ(NetworkConnectionHandler::kErrorCertificateRequired,
             GetResultAndReset());
 }
 
 TEST_F(NetworkConnectionHandlerTest,
+       ConnectWithCertificateRequestedBeforeCertsAreLoaded) {
+  net::CertificateList certs;
+  ASSERT_TRUE(ImportClientCertAndKey(
+      "websocket_client_cert.p12", test_nssdb_.get(), &certs));
+  ASSERT_EQ(1U, certs.size());
+
+  EXPECT_TRUE(Configure(
+      base::StringPrintf(kConfigRequiresCertificateTemplate,
+                         certs[0]->subject().common_name.c_str())));
+
+  Connect("wifi4");
+
+  // Connect request came before the cert loader loaded certificates, so the
+  // connect request should have been throttled until the certificates are
+  // loaded.
+  EXPECT_EQ("", GetResultAndReset());
+
+  StartCertLoader();
+
+  // |StartCertLoader| should have triggered certificate loading.
+  // When the certificates got loaded, the connection request should have
+  // proceeded and eventually succeeded.
+  EXPECT_EQ(kSuccessResult, GetResultAndReset());
+}
+
+TEST_F(NetworkConnectionHandlerTest,
        NetworkConnectionHandlerDisconnectSuccess) {
   EXPECT_TRUE(Configure(kConfigConnected));
   Disconnect("wifi1");
   EXPECT_EQ(kSuccessResult, GetResultAndReset());
 }
 
 TEST_F(NetworkConnectionHandlerTest,
        NetworkConnectionHandlerDisconnectFailure) {
   Connect("no-network");
   EXPECT_EQ(NetworkConnectionHandler::kErrorConfigureFailed,
             GetResultAndReset());
 
   EXPECT_TRUE(Configure(kConfigConnectable));
   Disconnect("wifi0");
   EXPECT_EQ(NetworkConnectionHandler::kErrorNotConnected, GetResultAndReset());
 }
 
 }  // namespace chromeos